You can link authentication providers to your platform to allow your users to log in using their company credentials. You can integrate any identity provider that is compatible with SAML 2.0 and OpenID protocols. If you use SAML just-in-time, users will be imported during their initial login if they don't already exist on your platform.
This article outlines the steps for setting up a SAML authentication provider in Haiilo. Below, you can view a video tutorial for setting up SAML for AD FS.
You will also need to complete certain steps in your identity provider to finalize the connection. To configure SAML in your identity provider, we recommend referring to the guidelines for your specific identity provider.
Haiilo itself doesn't offer two-factor authentication, but you can enforce it through your SAML identity provider. Make sure that the service uses a certificate issued by a trusted certification authority and TLS 1.2.
Set up a SAML authentication provider
A SAML authentication provider applies to only one user directory and that directory's users. You need the "Manage authentication providers" permission to set up an authentication provider in Haiilo.
- Go to Administration > Authentication
- Select Create authentication provider
- Enter a name. The name is displayed to users on the login screen after "Authenticate with"
- Choose a type: SAML or SAML just-in-time
- Check Active
- Decide if you want to use Automatic login. This automatically redirects the user from the login screen to the identity provider after a few seconds. If users don't want to be redirected, they can select Sign in as a local user before the redirect.
- Decide whether this authentication provider sends session emails for new logins.
- Fill out the fields on each tab as detailed below.
General
- Only check AD FS if your Microsoft Active Directory uses Federation Services.
- Enter the Entity ID, Authentication endpoint, and Logout endpoint from your identity provider's metadata.xml.
- Choose the Logout method. This defines whether the user is logged out locally (only Haiilo) or globally (SAML logout) when they log out of Haiilo.
- Enter an Answer validity, i.e., how long the identity provider's answer to a Haiilo request remains valid. We recommend the standard 300 seconds.
- Choose the User directory that can use this authentication provider. The options depend on your user directory settings.
Request signing
- Check Sign requests if you want to sign the SAML request with a certificate and a private key. Otherwise, skip this tab.
- Enter a certificate and a private key in the PEM format. You can use a self-signed certificate. If you use AD FS, the certificate must be added to the AD FS server in the trust relationship settings under "Signing".
- If the private key is password protected, enter the password.
Response validation
- In addition to signing requests, you can validate the SAML responses returned by the identity provider. To do this, add the IdP server's token-signing certificate in the PEM format.
- If you don't want to use this function, check Disable certificate trust check; responses are then accepted without being checked against the IdP certificate.
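The Entity ID and endpoints on the General tab and the token-signing certificate on this tab all come from the IdP's metadata.xml. As an added example (not part of the Haiilo documentation), the following Python script extracts those values from a constructed sample metadata file and converts the certificate into the PEM form the fields expect; the element names are the standard SAML 2.0 metadata names, and the sample URLs and certificate bytes are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _location(descriptor, tag):
    # Prefer the HTTP-Redirect binding, since the SP redirects the browser to the IdP.
    nodes = descriptor.findall(f"md:{tag}", NS)
    if not nodes:
        return None
    preferred = [n for n in nodes if n.get("Binding") == REDIRECT]
    return (preferred or nodes)[0].get("Location")

def _to_pem(b64_text):
    # Strip the whitespace IdPs put inside <ds:X509Certificate>, reject non-base64, wrap at 64.
    raw = "".join(b64_text.split())
    base64.b64decode(raw, validate=True)
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    # Response validation uses the token-signing key: skip use="encryption"; no use attribute means both.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    certs = [c for c in certs if c and c.strip()]
    if not certs:
        raise ValueError("no token-signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": _location(idp, "SingleSignOnService"),
        "slo_url": _location(idp, "SingleLogoutService"),
        "signing_cert_pem": _to_pem(certs[0]),
    }

# Constructed sample, not real IdP metadata; the certificate content is a placeholder.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate> {SAMPLE_CERT_B64} </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/adfs/ls/logout"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Calling `parse_idp_metadata(SAMPLE_METADATA)` returns the Entity ID, the two endpoints and the PEM certificate; AD FS metadata usually lists an encryption certificate first, which is why the script filters on `use="signing"`.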
Just-in-time provisioning
This tab is only available if you select the type SAML just-in-time.
- Define the attributes that are imported for the users. You can find the necessary values in your metadata.xml.
- You can also synchronize profile fields. Choose the profile fields on Haiilo and assign them according to the values in your metadata.xml.
Finalize
- Select Save to generate the Haiilo endpoints and metadata XML. After saving, these will appear on the General tab.
- Add Haiilo's information to your IdP. Haiilo only establishes a redirect to the IdP and then expects a SAML assertion, in which the login name (e.g., the email address) is passed as NameID.
- For SAML just-in-time, the attributes to be provisioned must also be included in the SAML assertion sent by the IdP.